This Week In Security - 12/23/2019
No More Secrets As China Rolls Out Cryptography Law
As of the 1st January 2020, foreign businesses operating in China will be forced to share all their secrets with the Chinese government.
In the next stage of China’s Cybersecurity Law, any firm operating in China will be forced to hand over encryption keys and stop using VPNs to safeguard their data. According to one expert, Gordon Chang, this will mean, “Everything they have in China on their networks will become available to the Ministry of State Security and the Communist Party”.
Not only will companies have to stop using encryption technology, but they may also be prevented from using private servers and VPNs. Many fear that officials in China may also use any data they seize to give state-owned businesses an advantage over their foreign competitors.
The US trade deal with China has yet to address these developments and Larry Kudlow, the White House economic adviser, admitted, “I don’t think we know enough about these new Chinese rules” while others, including Nigel Cory of the Information Technology and Innovation Foundation, are saying, “U.S. firms should be very concerned about how the Chinese government will actually enforce this law”.
Ransomware Gangs Up Their Game
As ransomware continues to spread like wildfire across the US, cybercriminals are finding new ways to pressure their victims into coughing up the cash. A group of cybercriminals linked to the Maze Ransomware strain has created its own website with the sole intention of outing companies that have refused to pay.
Launched earlier this week, the website lists the names and websites of victims that have refused to pay the ransom and threatens that “their databases and private papers” will follow shortly.
Experts say this development, while shocking, was to be expected. According to Lawrence Abrams, the founder of the computer security blog, BleepingComputer, “For years, ransomware developers and affiliates have been telling victims that they must pay the ransom or stolen data would be publicly released”.
Despite such threats, however, it was only recently that cybercriminals followed through. Last month, Maze Ransomware released around 700 MB of data onto a hacking forum after Allied Universal refused to pay up.
Companies infected with ransomware will need to treat the attack as a data breach and deal with it accordingly or face the possibility of confidential records being made public or even sold to the competition.
Mozilla Firefox Adds DNS-over-HTTPS to Boost User Privacy
The popular free web browser, Mozilla Firefox, this week announced it has taken yet another step towards online privacy by adding the DNS-over-HTTPS (DoH) feature to its browser.
DoH encrypts all traffic traveling to and from the browser, including responses to DNS queries which often contain the user’s IP address. Although Firefox added its initial layer of DoH support in 2018, this required users to send all their Firefox DNS traffic to Cloudflare servers, making it complex and difficult to maintain.
The introduction of NextDNS, however, means a more streamlined system that still protects your identity and your online privacy. NextDNS will not only limit how much data it collects from servers utilized by Firefox users, but it will also be transparent about what information it does collect, and it will not block, censor or filter DNS traffic unless requested to by a law enforcement agency.
Some cybersecurity experts predict that DoH could cause more problems than it solves, suggesting that DoH doesn’t prevent tracking and could even “allow attackers and insiders to bypass organizational controls”. Whether these skeptics are right or whether Mozilla Firefox’s latest developments will prove them wrong remains to be seen.
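To make the DoH mechanism from the two paragraphs above concrete, here is an added example (not Mozilla, NextDNS or Cloudflare code) that builds an RFC 8484 DoH GET request from a DNS wire-format query and then decodes such a URL back to the queried name, which is what an organization's TLS-inspecting proxy would have to do to keep applying DNS policy once browsers stop using the local resolver. The resolver URL is an assumed placeholder.

```python
# Added example: build and decode an RFC 8484 DNS-over-HTTPS GET request.
# Not Mozilla or NextDNS code; the resolver URL used below is an assumed placeholder.
import base64
import struct
from typing import Tuple
from urllib.parse import parse_qs, urlparse

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Encode a DNS query in RFC 1035 wire format (qtype 1 = A record).
    RFC 8484 recommends transaction ID 0 so identical queries cache well."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(resolver: str, query: bytes) -> str:
    """GET form: the wire-format query travels base64url-encoded, unpadded, in 'dns'."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={dns}"

def decode_doh_url(url: str) -> Tuple[str, int]:
    """Recover (qname, qtype) from a DoH GET URL, as a policy-enforcing proxy
    that can see the decrypted HTTPS request would need to."""
    dns = parse_qs(urlparse(url).query)["dns"][0]
    padded = dns + "=" * (-len(dns) % 4)            # restore base64 padding
    wire = base64.urlsafe_b64decode(padded)
    _, flags, qdcount = struct.unpack("!HHH", wire[:6])
    if qdcount != 1 or flags & 0x8000:               # expect one question, QR bit clear
        raise ValueError("not a single-question DNS query")
    pos, labels = 12, []
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", wire[pos:pos + 2])[0]
    return ".".join(labels), qtype

if __name__ == "__main__":
    url = doh_get_url("https://doh.example.invalid/dns-query", build_dns_query("example.com"))
    print(url)
    print(decode_doh_url(url))
```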
Encryption Gains Unlikely Advocate
It seems the Justice Department and the US Department of Defense aren’t playing by the same rules: while one attacks Facebook over its proposed end-to-end encryption, the other is saying “encryption is critical to the protection of our national security”.
A letter from the Defense Department’s Chief Information Officer, Dana Deasy, was forwarded to Senator Lindsey Graham – an ardent opponent of encryption – earlier this week in what appears to be an attempt to educate him about the importance of encryption.
The letter was written in response to Representative Ro Khanna’s request for information earlier this year and states, “As the use of mobile devices continues to expand, it is imperative that innovative security techniques, such as advanced encryption algorithms, are constantly maintained and improved to protect DoD information and resources”.
Khanna forwarded the letter to Graham “at a time when some in government would like to weaken encryption and create a ‘back-door’” in the hopes that he and other politicians with the same agenda “stop uncritically claiming that encryption is some sort of ‘debate’ between privacy and national security” when, in fact, it is critical to both.